The ACL works if I try to access from other connected ports. However, it does not work on traffic from Site-to-Site VPN. In fact, I tried applying the ACL to Tunnel1 and it still allows access. Tried both inbound and outbound. Tried even an ACL with just "deny ip any any". No difference. Am I doing something wrong?

Re: Cannot drop traffic from Site-to-Site VPN using ACL

"The device" as stated refers to the router with the ACL configured.

I tested from VPN peer, so it should be considered transit traffic. I know output ACL does not work on traffic originated from router, e.g. ping. But this is not what I am trying here. If VPN traffic terminated by a router is considered router generated traffic then essentially ACL cannot block anything coming from VPN. With VPN so widely used, this can't possibly be true?

Re: Cannot drop traffic from Site-to-Site VPN using ACL

I am not saying all VPN traffic terminated by a router is considered router generated traffic. I am saying if you generate traffic from the router itself, as in control/mgmt plane traffic - ping, ssh, telnet, dynamic routing protocol etc this would not be filtered by an ACL on that router's interface. If a PC connected to the LAN sends traffic over the VPN tunnel this is transit traffic, which is filtered by the outbound ACL.

You can filter inbound on the other VPN peer, which would filter the transit traffic and traffic originated by the other router.
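As an added illustration of the reply above (example configuration, not posted by anyone in this thread): an extended ACL applied inbound on the other peer's tunnel interface, where it sees both transit traffic from the far LAN and traffic the far router originates itself. It assumes a routed Tunnel interface (VTI or GRE over IPsec) and uses constructed documentation addresses; 192.0.2.0/24 is the far-side LAN, 198.51.100.0/24 the local LAN.

```cisco
! Inbound filter on the REMOTE peer's tunnel interface (constructed example).
! Entries are evaluated top-down; the first match wins, so place specific
! denies before the broader permit and keep a logged catch-all deny last.
ip access-list extended VPN-IN
 remark block one far-side host from reaching the local LAN, log the hits
 deny   ip host 192.0.2.10 198.51.100.0 0.0.0.255 log
 remark allow the rest of the far-side LAN into the local LAN
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 remark anything else arriving through the tunnel is dropped and logged
 deny   ip any any log
!
interface Tunnel1
 ip access-group VPN-IN in
!
! Verification: per-entry match counters show whether decrypted traffic is
! actually hitting this ACL; zero counters after a test indicate the packets
! are taking a different path and the filter is in the wrong place.
! show ip access-lists VPN-IN
! show logging | include VPN-IN
```

Apply the filter only after confirming with the counters that the test traffic matches the intended entry, since a catch-all deny on the tunnel also affects any routing protocol or keepalive traffic carried over it.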
